WebApp Sec mailing list archives
oauth token authentication
From: saghar estehghari <s.estehghari () gmail com>
Date: Mon, 12 Aug 2013 17:03:54 +0200
Hi,

On a cloud project that I'm currently working on, we authenticate the clients by password and get access to their keys using their password (using a PBKDF2 function). However, we want to provide the user with another option, which is authenticating with an OAuth token. So the problem that I'm facing right now is that if the user doesn't type a password, then I can't access his key, as the passwords are saved hash-salted in the DB.

I know that we can add some parameters to the token (e.g. adding the encrypted password for accessing the key), but it seems insecure to me, as the tokens are vulnerable to replay attacks (and it's possible that the expiration date would be long)!

So I was wondering whether any of you had faced a similar problem and could help me with your ideas :)

Thanks for your time,
Regards
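The password path described in the post, as an added example that is not from the original thread or the poster's project. It assumes (my assumptions, not the poster's design) that one PBKDF2-HMAC-SHA256 output is split into a stored verifier and an in-memory key-encryption key (KEK) that wraps a random per-user data key (DEK), and that the wrap is a standard-library stand-in rather than AES-KW or an AEAD.

```python
from __future__ import annotations
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed cost parameter; tune for your hardware
DEK_LEN = 32


def derive(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Return (verifier, kek) from one PBKDF2-HMAC-SHA256 run.

    PBKDF2 computes each 32-byte output block independently, so the verifier
    stored in the DB does not reveal the KEK, which exists only in memory
    after a successful password login.
    """
    out = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return out[:32], out[32:]


def wrap(kek: bytes, dek: bytes) -> bytes:
    """Stand-in key wrap: a one-time mask derived from the KEK, then an HMAC tag.
    A production system would use AES-KW or an AEAD instead (assumption)."""
    mask = hmac.new(kek, b"wrap", "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(dek, mask))
    tag = hmac.new(kek, b"tag" + ct, "sha256").digest()
    return ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes | None:
    """Check the tag in constant time; return None on a wrong KEK or a tampered blob."""
    ct, tag = blob[:DEK_LEN], blob[DEK_LEN:]
    if not hmac.compare_digest(tag, hmac.new(kek, b"tag" + ct, "sha256").digest()):
        return None
    mask = hmac.new(kek, b"wrap", "sha256").digest()
    return bytes(a ^ b for a, b in zip(ct, mask))


def register(password: str) -> dict:
    """Build the DB record: salt, verifier and wrapped DEK. DEK and KEK are never stored."""
    salt, dek = os.urandom(16), os.urandom(DEK_LEN)
    verifier, kek = derive(password, salt)
    return {"salt": salt, "verifier": verifier, "wrapped_dek": wrap(kek, dek)}


def login_with_password(record: dict, password: str) -> bytes | None:
    """Verify the password, then unwrap the user's key; without the password
    (for example a token-only login) the stored record alone cannot yield the DEK."""
    verifier, kek = derive(password, record["salt"])
    if not hmac.compare_digest(verifier, record["verifier"]):
        return None
    return unwrap(kek, record["wrapped_dek"])
```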